An AI Found the 'HTTP/2 Bomb' (CVE-2026-49975) That Downs Web Servers in Seconds
A flaw called the 'HTTP/2 Bomb' (CVE-2026-49975) lets even a single home PC take Apache and other major web servers offline in seconds. OpenAI's AI 'Codex' found it before humans did, a proof-of-concept is public, and Shodan shows 880,000+ servers exposed. Apache fixed it in 2.4.68, released June 8. Here are the affected versions and what to update now.

Makoto Horikawa
Backend Engineer / AWS / Django
A single ordinary home computer can knock the world's major web servers offline in just seconds by abusing a newly disclosed flaw (a security defect). Named the "HTTP/2 Bomb," it is tracked as CVE-2026-49975, and on one of the most widely used web servers in the world, Apache HTTP Server, it was fixed in version 2.4.68, released on June 8, 2026. In Japan, JPCERT/CC issued an advisory the same day via the JVN vulnerability portal (JVNVU#99913823).
What surprised people most was how it was found. The flaw was spotted not by a human researcher but by OpenAI's AI "Codex," which connected two techniques that had been known for over a decade. A proof-of-concept (PoC) is already public, and the discoverers report that over 880,000 servers are exposed on the internet. The impact is not limited to Apache: it spans the major web servers that use HTTP/2 — nginx, Microsoft IIS, Envoy, and more.
This article explains, in plain terms, what the HTTP/2 Bomb does, why an AI found it before humans did, what your own server needs to fix (including the other flaws bundled into Apache 2.4.68), and what to do now. Note that this is not a data-theft flaw — it is the kind of attack that takes a service down.
Which versions are affected, and how to update
Here is the bottom line. On Apache HTTP Server, all versions from 2.4.17 through 2.4.67 — which include the HTTP/2 component (mod_http2) — are affected by the HTTP/2 Bomb, and updating to 2.4.68 closes it. That 2.4.68 release also bundles fixes for a total of 13 vulnerabilities, including the HTTP/2 Bomb (CVE-2026-49975). You can check your version by running httpd -v or apache2 -v on the server.
| Your version | Status | What to do |
|---|---|---|
| 2.4.68 or later | Fixed | No action needed |
| 2.4.17 – 2.4.67 | Affected (if HTTP/2 on) | Update to 2.4.68 |
| 2.4.16 or earlier | Not affected by the HTTP/2 Bomb (no mod_http2), but out of support and carrying many other unfixed flaws | Move to a supported version |
Most organizations and individuals run Apache through the packages shipped by their OS (a Linux distribution such as Ubuntu, Debian, or RHEL). In that case, the distribution releases an update that incorporates the fix, so a normal update via apt or dnf applies it. If you cannot update right away, temporary mitigations (such as disabling HTTP/2) are covered below. If you are not using HTTP/2 at all, the HTTP/2 Bomb itself does not affect you.
What happens: one home PC silences a large server in seconds
HTTP/2 is a newer communication protocol, standardized in 2015 to make web pages load faster, and it is now used by a large share of sites. The HTTP/2 Bomb abuses two mechanisms built into it to exhaust the server's memory all at once and drive it into an unresponsive state. It is not data theft or takeover (code execution); it is a denial-of-service (DoS) that stops the service itself. The technical category is "memory allocation with an excessive size value" (CWE-789).
The frightening part is the efficiency. According to Calif.io's write-up, a home computer on an ordinary 100 Mbps connection can render a vulnerable server inaccessible within seconds. The attacker sends only a trickle of data, yet on the server side each byte balloons into up to thousands of bytes of memory — a single connection can be made to consume 32 GB in 10 to 45 seconds in the researchers' tests. The attack requires no login (no authentication), so any server reachable over HTTP/2 from the outside can be a target.
The mechanism combines two classic, long-known tricks. The first abuses "HPACK" header compression: seed one large header into the server's temporary table, then send a one-byte "use that header again" instruction thousands of times, and the server expands each one into large data. The second abuses "flow control," which paces data: the attacker tells the server it "can't receive any more," deliberately preventing the response from completing and keeping the memory pinned. Stack the two and a tiny amount of traffic holds huge amounts of memory for a long time, until the server gives out.
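The header-compression half of the mechanism above, shown from the decoder's side as an added illustration (this is not code from Apache, nginx or the Calif.io write-up): a minimal HPACK decoder that charges every emitted field its decoded size and refuses the block once a cap is passed, the kind of limit a server needs so that a one-byte indexed reference cannot expand into memory the peer never sent. It assumes no Huffman-coded strings, no dynamic-table size updates and a partial static table, and the sample header block is constructed inline.

```python
# Added illustration (not code from Apache, nginx or the Calif.io write-up): a minimal
# HPACK (RFC 7541) decoder that charges each emitted field its decoded size
# (name + value + 32 bytes) and refuses a header block once that total passes a cap.
# Assumptions: no Huffman strings, no table-size updates, partial static table.
STATIC = {1: (":authority", ""), 2: (":method", "GET"), 3: (":method", "POST")}
STATIC_SIZE = 61  # the real static table has 61 entries; dynamic entries start at index 62

def _read_int(block, pos, prefix_bits):
    # HPACK integer with an N-bit prefix (RFC 7541 section 5.1); returns (value, next_pos)
    mask = (1 << prefix_bits) - 1
    value, pos = block[pos] & mask, pos + 1
    shift = 0
    while value >= mask and (shift == 0 or block[pos - 1] & 0x80):
        byte, pos = block[pos], pos + 1
        value += (byte & 0x7F) << shift
        shift += 7
    return value, pos

def _read_str(block, pos):
    assert not block[pos] & 0x80, "Huffman strings not handled in this illustration"
    length, pos = _read_int(block, pos, 7)
    return block[pos:pos + length].decode("ascii"), pos + length

def decode(block, max_list_size=65536):
    """Returns (accepted, headers, decoded_size); accepted is False once the cap is passed."""
    dynamic, headers, size, pos = [], [], 0, 0
    lookup = lambda i: STATIC[i] if i <= STATIC_SIZE else dynamic[i - STATIC_SIZE - 1]
    while pos < len(block):
        first = block[pos]
        if first & 0x80:  # indexed field: one wire byte yields a whole name/value pair
            idx, pos = _read_int(block, pos, 7)
            name, value = lookup(idx)
        elif first & 0xC0 == 0x40:  # literal with incremental indexing: enters the table
            idx, pos = _read_int(block, pos, 6)
            name, pos = (lookup(idx)[0], pos) if idx else _read_str(block, pos)
            value, pos = _read_str(block, pos)
            dynamic.insert(0, (name, value))  # newest entry becomes index 62
        else:
            raise ValueError("other representations not handled in this illustration")
        size += len(name) + len(value) + 32  # RFC 7541 section 4.1 entry size, per field
        if size > max_list_size:
            return False, headers, size  # refuse the block instead of allocating further
        headers.append((name, value))
    return True, headers, size

def constructed_block(value_len=100, repeats=1000):
    # Constructed sample: seed one literal into the dynamic table (value_len < 127 so the
    # length fits one byte), then the one-byte indexed reference 0xBE (index 62) `repeats` times
    seed = bytes([0x40, 5]) + b"x-pad" + bytes([value_len]) + b"A" * value_len
    return seed + bytes([0xBE]) * repeats
```

With the sample block, 1,108 wire bytes decode to 1,001 fields charged at 137,137 bytes when uncapped, while the default 64 KiB cap stops decoding after 478 fields.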
Who wants this bug, and what do they walk off with
"If no data is stolen, how bad can it be?" you might think. But what this flaw strikes is not information — it is the simple fact that your site or service is up and running. The ease of taking down a major server with a single cheap connection looks deeply attractive to certain people. The ones who go after it are repeat DoS-extortion crews who hold a site hostage for money, rival operators who want to knock out a competitor's sales or bookings at peak hours, hacktivists who want to silence a target site to make a point, and intruders who want to briefly take down monitoring and service to distract from a real break-in or data theft. What they take is not the contents but the hours your users could have reached you. The moment an HTTP/2 Bomb request is sent in, your site can be quietly knocked out at exactly the busiest hour of the day.
The damage does not end at one downed box. An online store takes no orders, a booking site stops accepting reservations, a business system stalls work inside and outside the company at once. More troubling is the pattern where the outage is used as a "diversion" — staged while operators' hands and attention are consumed by recovery, so the attacker can push the real ransomware or intrusion. During the tens of minutes a server is down and monitoring is thin, a serious attack can advance through another entrance — and that does happen in the real world.
And the loss from the downed service, plus the cleanup, lands on the operator and IT team that run the site. They shoulder the lost revenue, apologies and support inquiries, root-cause analysis and recovery, broken service-level promises (SLAs) with partners, and the accountability of "why was the update put off." Apache's severity label here is not the top tier but "Moderate." Yet when the conditions line up — cheap to launch, no authentication, and a public proof-of-concept — a low label is no reason to wait. Whether you can apply the fix now that it is out decides whether you end up on the receiving end.
Why an AI found it before humans did
What caught the technical world's attention was less the flaw than the fact that an AI found it. The two tricks behind the discovery — abusing header compression and stalling the response via flow control — had each been individually known for more than a decade. What OpenAI's coding assistant "Codex" saw was the single point that combining the two yields an outsized destructive effect. The discoverers reflected that "the combination is obvious once you see it, and yet as far as we can tell no human had put it together."
This is less a case of AI inventing unknown theory from scratch than of quickly connecting known parts that humans had overlooked, drawing on a vast base of prior work. Still, the implication is not small. Vulnerability discovery may change sharply in speed and volume with AI, and if attackers use it, overlooked combinations of old mechanisms could be weaponized one after another. The AI arms race is accelerating on both offense and defense. This time AI worked for the defenders (finding and fixing), but it is also a warning that the reverse is entirely possible.
Not just Apache: where the major web servers stand
The HTTP/2 Bomb is less a bug in one product than a weakness lurking in implementations of the HTTP/2 protocol itself. So it cut across the major web servers, and each product responded on its own timeline after coordinated disclosure. The table sums up the status known as of publication.
| Product | Role | Status |
|---|---|---|
| Apache HTTP Server | Web server | Fixed in 2.4.68 (June 8) |
| nginx | Web server | Fixed in 1.29.8 (new max_headers) |
| Envoy | Proxy | Patched June 3 |
| Microsoft IIS | Web server | Status pending at publication |
| Cloudflare Pingora | Proxy | Status pending at publication |
In other words, "just fix Apache and you're done" does not hold. You need to inventory what you run at the front of your stack — nginx, a reverse proxy, a load balancer, or a cloud edge — and check each one's latest guidance. Apache accounts for over a fifth of the world's web servers, and HTTP/2 is used as a de facto standard, so affected configurations are far from rare.
2.4.68 also fixes 12 other flaws. Which ones hit you?
Apache 2.4.68 bundles 12 other vulnerabilities beyond the HTTP/2 Bomb. All are rated Moderate or Low by Apache, with nothing that lets a server be taken over, but some may apply depending on the features you use. A notable one for shared-hosting customers is CVE-2026-44119: someone able to write a crafted per-site config file (.htaccess) could read another tenant's files that should be invisible to them — a privilege-escalation flaw that matters most to hosts where one server is shared by many users.
Others apply only to specific setups — memory corruption when reverse-proxy features (the mod_proxy family) process a malicious backend response (such as CVE-2026-34355), or an information leak in SSL certificate checking (CVE-2026-44185). The full list is in Apache's official vulnerability page. Even without time to triage each one, the conclusion is the same: "updating to 2.4.68 closes all 13." Rather than dissecting your configuration in detail, moving to the latest version is the reliable move.
From disclosure to fix
Because the HTTP/2 Bomb spans multiple web servers, it was disclosed in stages as each product readied its response. The Apache-side fix arrived in full as Apache HTTP Server 2.4.68 on June 8. Here is the timeline.
How to read the current risk
✓ Confirmed facts
- The HTTP/2 Bomb (CVE-2026-49975) is an unauthenticated, remote denial-of-service; Apache 2.4.17–2.4.67 are affected and 2.4.68 fixes it (Apache / NVD)
- A proof-of-concept is public; the discoverers report 880,000+ exposed servers via Shodan (Calif.io)
- nginx and Envoy are fixed; the IIS and Cloudflare Pingora status was still pending at publication — a cross-product issue
? Not yet confirmed
- Real-world exploitation — no broad abuse reports as of this writing, and it is not listed in the U.S. CISA Known Exploited Vulnerabilities (KEV) catalog
- A finalized CVSS score — NVD is still enriching the record (no number assigned). Apache's own rating is Moderate
Soberly, what happens is "service downtime," not data theft or takeover, and broad exploitation has not been confirmed. On the other hand, the conditions — unauthenticated, cheap to launch, with public PoC, and 880,000 servers exposed — mean the bar to attack is very low. Applying the fix now that it is out is the cheapest, most reliable choice — far better than scrambling once abuse begins.
What to do now
If you run a web server, the work is mostly updating. Here are the steps.
- Check your Apache version (httpd -v / apache2 -v); if it is earlier than 2.4.68, treat it as affected
- For OS-shipped Apache, update via apt/dnf; confirm your distribution has incorporated the fix
- If you cannot update immediately, consider temporary mitigations: disable HTTP/2 if it is not needed, or limit headers and memory per connection
- Inventory the software you run at the front of the stack — nginx, reverse proxies, load balancers, cloud edges — and check each one's latest guidance
- Watch for sudden memory spikes and response delays; strengthen logging and resource monitoring for signs of rapid memory exhaustion
Give priority to web servers that face the internet directly and to public sites with HTTP/2 enabled. Because the attack succeeds simply by sending crafted traffic to a reachable HTTP/2 endpoint, leaving it exposed raises the risk. If you run multiple servers, inventory them and roll out the update together.
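The first two checks in the steps above, as an added script that is not from the article, Apache or any distribution: it parses the version banner, classifies it against the affected range 2.4.17–2.4.67, and reads the Protocols directive to see whether HTTP/2 is on. It assumes the upstream version numbering; a distribution that backports the fix under an older version string is not detected, so read your vendor's advisory as well.

```shell
#!/bin/sh
# Added illustration (not from the article, Apache or any distribution): classify an
# Apache build against the affected range 2.4.17-2.4.67 (fixed in 2.4.68) and check
# whether HTTP/2 is enabled. Assumption: upstream version numbers, no backport detection.

# Pull "2.4.65" out of a line such as "Server version: Apache/2.4.65 (Unix)"
apache_version() {
    printf '%s\n' "$1" | sed -n 's/.*Apache\/\([0-9][0-9.]*\).*/\1/p'
}

# Print AFFECTED, FIXED or UNSUPPORTED for a version string like 2.4.65
classify_version() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    if [ "$major" -ne 2 ] || [ "$minor" -ne 4 ] || [ "$patch" -lt 17 ]; then
        echo UNSUPPORTED   # no mod_http2 in this range, but move to a supported release
    elif [ "$patch" -ge 68 ]; then
        echo FIXED
    else
        echo AFFECTED
    fi
}

# Succeed if any uncommented Protocols line in the config text enables h2 or h2c
h2_enabled() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' |
        grep -Eiq '^[[:space:]]*Protocols([[:space:]]+[^[:space:]]+)*[[:space:]]+h2c?([[:space:]]|$)'
}

# Combine both checks into the action the article's version table calls for
assess() {
    status=$(classify_version "$(apache_version "$1")")
    if [ "$status" = AFFECTED ] && h2_enabled "$2"; then
        echo "AFFECTED: update to 2.4.68 (or set Protocols http/1.1 until you can)"
    elif [ "$status" = AFFECTED ]; then
        echo "AFFECTED version, HTTP/2 off: not exposed to this flaw, still update"
    elif [ "$status" = FIXED ]; then
        echo "FIXED: no action needed for this flaw"
    else
        echo "UNSUPPORTED: move to a supported version"
    fi
}

# Constructed sample input; on a real host feed it httpd -v (or apache2 -v) and the httpd config
SAMPLE_VERSION='Server version: Apache/2.4.65 (Unix)'
SAMPLE_CONFIG='# Protocols h2 http/1.1 (commented out)
Protocols h2 http/1.1'
assess "$SAMPLE_VERSION" "$SAMPLE_CONFIG"
```

Removing h2 from the Protocols directive (leaving Protocols http/1.1) is how HTTP/2 is turned off in Apache, which is the temporary mitigation the steps mention.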
FAQ
Q. Can data be stolen through this flaw?
No. The HTTP/2 Bomb (CVE-2026-49975) is a denial-of-service (DoS) that makes a server unresponsive; it does not steal information or execute code. That said, the outage itself causes lost revenue and work, and it can be used as a diversion for another attack.
Q. Am I safe if I don't use HTTP/2?
The HTTP/2 Bomb's direct trigger is in HTTP/2 processing, so disabling HTTP/2 avoids this specific flaw. But Apache 2.4.68 also fixes 12 other vulnerabilities, so updating to the latest version is recommended either way.
Q. Does "an AI found it" mean an AI attacked?
No. Security researchers used OpenAI's Codex and realized that combining two known tricks becomes dangerous — a defensive discovery. The AI did not autonomously attack servers. Still, the same approach could be used by attackers, so the trend bears watching.
Q. Is fixing Apache enough?
No. The HTTP/2 Bomb spans multiple products, including nginx and proxies. Beyond the web server itself, check the fix status of reverse proxies, load balancers, and cloud edge software you use.
Summary
CVE-2026-49975, the "HTTP/2 Bomb," is a denial-of-service flaw that lets even a single home computer on a cheap connection drive Apache and other major web servers into unresponsiveness within seconds. It is not data theft or takeover, but it is unauthenticated, needs little traffic, ships with a public proof-of-concept, and the discoverers report 880,000+ servers exposed on the internet. Apache fixed it — along with 12 other flaws, 13 in total — in version 2.4.68, released on June 8, 2026.
The case also drew attention because an AI, not a human, first realized that combining two decade-old tricks turns dangerous — a sign that vulnerability discovery is entering an era of greater speed and volume. If you run a web server, check your version and update to 2.4.68 or later, and review the front-of-stack software such as nginx and proxies too. The bar to attack is too low to put this off just because no data leaks.
Sources
- JVN - JVNVU#99913823 (Apache HTTP Server 2.4 multiple vulnerabilities update)
- Apache HTTP Server 2.4 vulnerabilities (Fixed in 2.4.68)
- NVD - CVE-2026-49975
- Calif.io - Codex discovered a hidden HTTP/2 Bomb (discoverers' write-up)
- oss-sec mailing list - CVE-2026-49975 disclosure
- CWE-789: Memory Allocation with Excessive Size Value
- W3Techs - Apache usage share